Earlier this month, a bipartisan group of representatives and senators released a discussion draft of a federal digital privacy bill: the American Data Privacy and Protection Act. It has now moved out of committee and, if passed, would create new legal rights for all Americans regarding the collection, access, and security of their personal data.
This is not the only consumer privacy bill considered by Congress, and there may be others. As written, this bill would align the United States with other nations, such as the European Union, that have thus far set global standards for digital privacy. Introduced in 2018, the European Union’s digital privacy law filled an important gap in regulating consumer privacy. Four years on, the data revealing how the law interacts with innovation and whether it succeeds in its goal of protecting consumers is still unclear. This should give US lawmakers pause to potentially explore more creative solutions for digital privacy.
The Progressive Policy Institute released a comparative report providing a general framework for analyzing privacy legislation across three separate but interrelated layers: legal access, security, and innovation.
Legal access defines what rights individuals have to see, access, update, and delete their data. Security describes the technical responsibilities for protecting collected data. And the third level, innovation, addresses how the laws interact with economic growth.
How does the new bill fit into these layers?
1. Legal Rights
If passed, the ADPPA would codify a set of data collection and access rights for all Americans who share data with private companies. It’s important to note that ADPPA does not apply to government collection or storing of personal data. As noted in PPI’s report analyzing countries’ privacy legislation, Canada, the European Union, and the United Kingdom put some controls on government use of data, but China did not.
ADPPA requires firms that collect consumer data to gain clear “affirmative express consent.” Consent for data disclosure is firmly rooted in the European Union’s landmark data protection law, the General Data Protection Regulation. It is typically solicited via checkboxes on web pages, and the bill requires clear, plain-language descriptions of data collection needs. Specifically highlighted in the bill are the right for consumers to opt out of targeted advertising and a prohibition of targeted advertising to children.
Once the data is collected, ADPPA states that individuals have the right to access, correct, delete, and transfer data about themselves with private companies; China and the European Union provide similar access rights to citizens. How to exercise these rights must be clearly stated in easy-to-read privacy policies.
Overall, the bill provides very similar data rights as other countries.
2. Security
Global privacy laws typically address security as a principle and design feature, and the U.S. bill follows this trend. Without being overly prescriptive, as digital security is highly technical and evolving, it directs data collectors to implement a risk-based approach depending on the level of sensitivity of the data collected. High-risk data includes biometric or genetic information, passport or social security numbers, and private communications like text messages or email.
In line with other data privacy laws around the world, ADPPA requires large data collectors to appoint a data protection officer and to first conduct a data protection impact assessment, which is a plan for data security and risk.
Additional security and privacy measures recommend data minimization (an essential pillar of the GDPR), or restricting data collection to specific uses and deleting data after use. Data minimization is important because if data is not collected or not stored, it can’t be improperly used or exposed.
3. Innovation
It’s challenging to predict how a privacy law like ADPPA will impact digital innovation. Crucially, a federal privacy law will provide clear guidance for online companies that serve Americans across multiple states. In the current system, where states are passing digital privacy laws only for their residents, a federal law would ease compliance burdens on firms.
Similar to the GDPR, the bill exempts researchers, journalists, and small data holders except for those who derive 50% of their revenue from data sales. However, it does not clarify whether research conducted by big firms for platform improvements or marketing is exempt. The bill’s right to opt out of targeted advertising and data transfers, which include data sales, may negatively impact certain industries like advertising and data brokers. Additionally, the bill recommends a study for a universal opt-out portal, which could be an innovation, but also could bankrupt the industries that rely on that data.
These provisions have broad implications for the data economy and should be evaluated carefully. Notably missing from the bill are recommendations for studies of other privacy-preserving technologies or security technologies. To assess the full impacts on innovation it requests an economic impact study five years after the enactment of the Act.
Conclusion
This draft bill is the newest of many privacy bills to be considered by Congress. Many of its provisions mirror the GDPR, as many global privacy laws do, with a major exception that this law does not apply to government data collection.
A key point of consideration for American legislators as they consider this bill is that it replicates many statutes from the GDPR. The GDPR was enacted in 2018, and we still don’t know the full impact of regulations like it on long-term digital innovation or whether its consumer protections are effective, though more information is coming out all the time. A new study from the University of Oxford in 2022 found that small business profits were most affected by the GDPR. A National Bureau of Economic Research study found that the GDPR decreased the number of apps on the Google Play app store and depressed new entrants into the app market. As of the writing of this post, this author found no data detailing the state of data breaches since the introduction of the GDPR.
It’s undoubted that consumers deserve enhanced transparency and protection of their personal data online. If ADPPA passes, it would provide new data collection and protection rights for Americans, which is an essential step toward digital privacy. But remember that the United States has a unique and strong innovation culture that is not necessarily well-reflected in the GDPR and other similar global privacy legislation. Those approaches shouldn’t be the only model being considered by lawmakers to enhance digital privacy. Congress has the opportunity to use existing research and data on alternative privacy-protecting technologies and ideas to set new global standards.